About data security with Safari-only mode in OS X Lion

Apple's Safari-only mode is a new feature in OS X that comes with iCloud. Here is how it works and the options that both it and OS X provide for securing your files.

Topher Kessler MacFixIt Editor
Topher, an avid Mac user for the past 15 years, has been a contributing author to MacFixIt since the spring of 2008. One of his passions is troubleshooting Mac problems and making the best use of Macs and Apple hardware at home and in the workplace.

If you have enabled iCloud's Find My Mac feature in OS X Lion, then you will notice that the OS X log-in screen now shows a Guest user account, which when clicked will offer the option for rebooting the system into Safari-only mode.

This mode will run the system in a limited environment where it can be used for Web surfing, but not much else. The system will only allow Safari to run in plain vanilla form without any plugins (including Flash) or extras running, and if you quit the browser then the system will restart back to the log-in screen.

Safari-only mode works by booting the system using the read-only recovery disk image stored on the Mac's "Recovery HD" partition that is created when you install Lion. If for some reason you do not have this partition available (some circumstances prevent Lion from creating a Recovery partition), then you will not be able to use Safari-only mode.

Safari-only mode welcome page
When Safari-only mode first loads, it will display this information page to instruct you on connecting to the internet. Screenshot by Topher Kessler

Because the system boots to a read-only image, when Safari is loaded it can neither access your boot drive nor save information to the system in any form, including temporary items such as caches and cookies. Therefore, people can browse wherever they like on the Web without harming your data or the OS installation on the system.

Safari-only mode has two purposes. The first and perhaps more obvious one is that it offers a quick way for guest users to access the Web so you do not have to either enable guest log-in on your system or set people up with a new account. Unfortunately Safari-only mode does require a restart of the system so this may only be convenient if all local accounts are properly logged out. If not, then the system will force your applications to quit and you may lose unsaved changes.

The second reason for Safari-only mode is its main purpose, which is to provide a means for the system to be used without potential damage or access to your data in the event your system has been stolen. Safari-only mode is enabled with iCloud's Find My Mac feature, which requires location services to be active and used in order to track the computer. By allowing thieves the opportunity to use the Mac in a limited way, the system will be able to send location information to the iCloud service and allow you to see where your computer is being used.

Find My Mac iCloud preferences
Safari-only mode is only enabled if you use the Find My Mac feature of Apple's iCloud service. Screenshot by Topher Kessler

Running Safari-only mode from the Lion recovery partition has the added benefit that it works even if you have Apple's FileVault 2 disk encryption enabled. Generally, full-disk encryption means you would need to provide credentials to unlock the disk before you can access any files or run any system software on it. However, because the boot image is stored on the recovery partition, which FileVault leaves unencrypted, the system can still load Safari and send location information to iCloud to help recover your system even though your data is locked away.

Find My Mac with Safari-only mode is a good option for being able to locate your Mac, but some people have wondered whether it adds extra security for your files. Unfortunately this is not the case. While Safari-only mode itself will not allow direct access to your files, unless you take precautions to secure them, thieves can still bypass the operating system's security and gain access to the hard drive. For instance, someone can restart a system into Single User mode, which bypasses the OS X user interface and drops you to the command prompt as the root user. In this mode, someone who knows what he or she is doing can gain access to the whole system if needed. More easily, a thief can boot the system to Target Disk mode or even remove the hard drive and attach it as an external drive on another system to bypass the OS X security and gain access to the drive.

These concerns are legitimate, but luckily there are measures that can be taken against each of them:

  1. Alternate boot modes
    Firmware Password location
    The firmware password utility is available when you boot to the OS X Lion Recovery Partition. Screenshot by Topher Kessler
    Alternate boot options like OS-based Single User and Safe Boot modes, and hardware-based Target Disk mode, boot drive selection, and even resetting the PRAM can be prevented by setting a firmware password on the Mac. To set a firmware password, reboot to Lion's recovery partition by holding Command-R, followed by choosing "Firmware Password" from the Utilities menu. Follow the instructions in the utility and your password should then be set. Now to boot to alternate volumes you will have to provide the firmware password, and to reset PRAM or use alternate boot modes you will have to use this utility to disable the firmware password.
    Unfortunately firmware passwords can be reset by altering a system's hardware configuration (e.g., removing and reinstalling RAM), but it is one step that can help prevent a system from being inappropriately accessed. If a Mac is locked down (such as at a desk, or in a computer lab), then a firmware password may greatly help since the only way to alter the system's hardware would be to physically damage it to gain access to the interior.
    Since firmware passwords prevent booting to alternative volumes, some people may wonder if having one enabled will allow Safari-only mode to work. Firmware passwords will only prevent alternative boot drive selection at startup when the firmware itself is being instructed to make the change, and will not prevent a loaded operating system from designating a boot drive. Since Safari-only mode is enabled from within the operating system when you click the Guest account, the boot drive switch is made from within the operating system and not by the firmware, so the firmware password does not block it.

  2. Physical access to the hard drive
    FileVault preferences
    FileVault can be enabled in Lion's Security & Privacy system preferences. Screenshot by Topher Kessler
    Regardless of the measures available for either the firmware or operating system to secure files on a disk, if someone gains physical access to the disk then they can attach it to any device they want (even if this means physically removing it from your Mac) and read data from it. Therefore, the only real way to secure files on a drive is to enable some form of encryption to prevent files from being read. In versions of OS X prior to Lion, Apple's encryption approach was to encase user home folders into an encrypted disk image that would mount at log-in, but in Lion Apple replaced this with a full disk encryption option commonly referred to as FileVault 2.
    Enabling FileVault 2 can be done in the Security system preferences, and will result in the main hard-drive partition being encrypted while leaving the recovery partition unencrypted. This setup allows your data, applications, and system software to be fully secured, while also allowing access to the recovery partition so services like Safari-only mode and Recovery can run.
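
The partition layout described above can be checked from Terminal. The following script is an added example, not part of the original article: it reads `diskutil list` output and reports whether the "Recovery HD" partition that Safari-only mode needs is present and whether the data partition is still plain HFS+. The function name and the sample listings are constructed for illustration, and it assumes the input covers only the internal disk (for example `diskutil list disk0`).

```shell
#!/bin/sh
# Added example (not from the article). Reads `diskutil list` text on stdin
# and reports the two layout facts the article depends on.
# Assumption: input covers the internal disk only, e.g. `diskutil list disk0`.

audit_layout() {
    awk '
        # Only slices (diskNsM) are physical partitions; whole-disk rows such
        # as an unlocked logical volume (disk1) are skipped.
        $NF !~ /^disk[0-9]+s[0-9]+$/ { next }
        $2 == "Apple_Boot" && /Recovery HD/ { recovery = 1 }
        $2 == "Apple_CoreStorage"            { cs = 1 }
        $2 == "Apple_HFS"                    { hfs = 1 }
        END {
            print "recovery=" (recovery ? "present" : "missing")
            if (hfs)     print "data=plain-hfs"    # readable if the drive is removed
            else if (cs) print "data=corestorage"  # layout that FileVault 2 uses
            else         print "data=unknown"
        }
    '
}

# Constructed sample: FileVault 2 enabled, volume unlocked as disk1.
SAMPLE_FV2='/dev/disk0
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *500.1 GB   disk0
   1:                        EFI                         209.7 MB   disk0s1
   2:          Apple_CoreStorage                         499.2 GB   disk0s2
   3:                 Apple_Boot Recovery HD             650.0 MB   disk0s3
/dev/disk1
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:                  Apple_HFS Macintosh HD           *498.9 GB   disk1'

# Constructed sample: no encryption and no recovery partition.
SAMPLE_PLAIN='/dev/disk0
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *500.1 GB   disk0
   1:                        EFI                         209.7 MB   disk0s1
   2:                  Apple_HFS Macintosh HD            499.8 GB   disk0s2'

printf '%s\n' "$SAMPLE_FV2"   | audit_layout
printf '%s\n' "$SAMPLE_PLAIN" | audit_layout
```

An `Apple_CoreStorage` data partition shows only that the volume uses the layout FileVault 2 relies on; `diskutil cs list` reports the actual encryption and conversion state.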

